US6704870B2 - Digital signatures on a Smartcard - Google Patents

Digital signatures on a Smartcard Download PDF

Info

Publication number
US6704870B2
US6704870B2 US09/942,492 US94249201A US6704870B2 US 6704870 B2 US6704870 B2 US 6704870B2 US 94249201 A US94249201 A US 94249201A US 6704870 B2 US6704870 B2 US 6704870B2
Authority
US
United States
Prior art keywords
signature
point
message
value
curve
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime, expires
Application number
US09/942,492
Other versions
US20020095583A1 (en
Inventor
Scott A. Vanstone
Alfred J. Menezes
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Certicom Corp
Original Assignee
Certicom Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
US case filed in Texas Eastern District Court litigation Critical https://portal.unifiedpatents.com/litigation/Texas%20Eastern%20District%20Court/case/2%3A07-cv-00216 Source: District Court Jurisdiction: Texas Eastern District Court "Unified Patents Litigation Data" by Unified Patents is licensed under a Creative Commons Attribution 4.0 International License.
First worldwide family litigation filed litigation https://patents.darts-ip.com/?family=24537188&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=US6704870(B2) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Priority to US09/942,492 priority Critical patent/US6704870B2/en
Application filed by Certicom Corp filed Critical Certicom Corp
Publication of US20020095583A1 publication Critical patent/US20020095583A1/en
Priority to US10/765,976 priority patent/US20050039023A1/en
Publication of US6704870B2 publication Critical patent/US6704870B2/en
Application granted granted Critical
Assigned to CERTICOM CORP. reassignment CERTICOM CORP. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MENEZES, ALFRED J.
Priority to US11/563,017 priority patent/US20070177726A1/en
Assigned to CERTICOM CORP. reassignment CERTICOM CORP. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MENEZES, ALFRED J.
Priority to US12/135,865 priority patent/US20080310625A1/en
Adjusted expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0806Details of the card
    • G07F7/0813Specific details related to card security
    • G07F7/082Features insuring the integrity of the data on or in the card
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724Finite field arithmetic
    • G06F7/725Finite field arithmetic over elliptic curves
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the present invention relates to methods and apparatus for generating digital signatures.
  • the signature must be performed such that the signing party's secret key cannot be determined.
  • ATMs Automated teller machines
  • credit cards i.e. credit/debit cards or pass cards are now available with limited computing capacity (so-called “Smart Cards”) but these do not have sufficient computing capacity to implement existing digital signature protocols in a commercially viable manner.
  • DSS Diffie Helman Public key protocol
  • p is a large prime.
  • p must be in the order of 512 bits although the resultant signature may be reduced mod q, where q divides p ⁇ 1, and may be in the order of 160 bits.
  • the DSS protocol provides a signature composed of two components r, s.
  • the protocol requires the selection of a secret random integer k referred to as the session key from the set of integers (0,1,2, . . . q ⁇ 1), i.e.
  • the component r is then computed such that
  • is a generator of q.
  • the component s is computed as
  • h(m) is a hash of that message
  • a is the private key of the user.
  • the signature associated with the message is then s,r which may be used to verify the origin of the message from the public key of the user.
  • ⁇ k is computationally difficult for the DSS implementation as the exponentiation requires multiple multiplications mod p. This is beyond the capabilities of a “Smart Card” in a commercially acceptable time. Although the computation could be completed on the associated ATM, this would require the disclosure of the session key k to the ATM and therefore render the private key, a, vulnerable.
  • An alternative encryption scheme that provides enhanced security at relatively small modulus is that utilizing elliptic curves in the finite field 2 m .
  • a value of m in the order of 155 provides security comparable to a 512 bit modulus for DSS and therefore offers significant benefits in implementation.
  • Diffie Helman Public Key encryption utilizes the properties of discrete logs so that even if a generator ⁇ and the exponentiation ⁇ k is known, the value of k cannot be determined.
  • a similar property exists with elliptic curves where the addition of two points on a curve produces a third point on the curve. Similarly, multiplying any point on the curve by an integer k produces a further point on the curve. However, knowing the starting point and the end point does not reveal the value of the integer ‘k’ which may then be used as a session key for encryption.
  • the value kP where P is an initial known point, is therefore equivalent to the exponentiation ⁇ k .
  • One solution for both DSS and elliptic curve implementations is to store pairs of signing elements k, kP and combine stored pairs to produce a new session pair. For an elliptic curve application, this would yield a possible 500 session pairs from an initial group of 32 stored signing elements. The possibilities would be more limited when using DSS because of the smaller group of signing elements that could be stored.
  • the ATM used in association with the card has sufficient computing power to perform the computation but the transfer of the coordinates of k 1 P and k 2 P from the card to the terminal would jeopardize the integrity of subsequent digital signatures as two of the stored signing elements would be known.
  • one aspect of the present invention proposes to compute on one computing device an initial step in the computation of a coordinate of a point derived from a pair of points to inhibit recognition of the individual components, transfer such information to another computing device remote from said one device, perform at least such additional steps in said derivation at such other device to permit the completion of the derivation at said one device and transfer the result thereof to said one computing device.
  • the initial step involves a simple field operation on the two sets of coordinates which provides information required in the subsequent steps of the derivation.
  • the initial step involves the addition of the x coordinates and the addition y coordinates to provide the terms (x 1 ⁇ x 2 ) and (y 1 ⁇ y 2 ).
  • the addition of the coordinates is an XOR operation that can readily be performed on the card and the results provided to the terminal.
  • the coordinates (x,y) representing kP in a stored signing element are not disclosed as insufficient information is provided even with subsequent uses of the card. Accordingly, the x coordinate of up to 500 signatures can be generated from an initial set of 32 stored signing elements.
  • the new value of k can be computed on the card and to avoid computing the inverse k ⁇ 1 , alternative known masking techniques can be utilized.
  • a further aspect of the present invention provides a method of generating additional sets of points from the initial set that may be used individually as a new value of kP or in combination to generate still further values of kP.
  • the curve is an anomalous curve and the Frobenius Operator is applied to at least one of the coordinates representing a point in the initial set to provide a coordinate of a further point on the elliptic curve.
  • the Frobenius Operator ⁇ provides that for a point (x 1 ,y 1 ) on an anomalous curve, then ⁇ (x 1 ,y 1 ) is a point (x 1 2 ,y 1 2 ) that also lies on the curve.
  • ⁇ i (x 1 y 1 ) is a point x 2 i , y 2 i that also lies on the curve.
  • m values of kP may be generated, referred to as “derived” values.
  • the new value of k associated with each point can be derived from the initial relationship between P and ⁇ P and the initial value of k.
  • utilizing the Frobenius Operator provides in the order of 4960 possible derived values and by combining pairs of such derived values as above in the order of 10 7 values of kP can be obtained from the initial 32 stored signing elements and the corresponding values of k obtained to provide 10 7 session pairs.
  • the stored values of kP are in a normal basis representation.
  • the application Frobenius Operator then simply requires an “i” fold cyclic shift to obtain the value for an ⁇ i operation.
  • a method of generating signature components for use in a digital signature scheme said signature components including private information and a public key derived from said private information, said method comprising the steps of storing private information and related public key as an element in a set of such information, cycling in a deterministic but unpredictable fashion through said set to select at least one element of said set without repetition and utilizing said one element to derive a signature component in said digital signature scheme.
  • FIG. 1 is a schematic representation of a programmable credit card
  • FIG. 2 is a schematic representation of a transaction performed between the card and network
  • FIG. 3 is a schematic representation of the derivation of a session pair from a pair of stored signing elements
  • FIG. 4 is a schematic representation of one step in the transmission of information shown in FIG. 2;
  • FIG. 5 is a schematic representation of a preferred implementation of the derivation of a session pair from two pairs of stored values
  • FIG. 6 is a schematic representation of a selection unit shown in FIG. 1;
  • FIG. 7 is a schematic representation of a further embodiment of the derivation of session pairs from stored values
  • FIG. 8 is an alternative schematic to the embodiment of FIG. 7.
  • FIG. 9 is yet another alternative schematic to the embodiment of FIG. 7 .
  • a programmable credit card 10 (referred to as a ‘SMART’ card) has an integrated circuit 12 embedded within the body of card 10 .
  • the integrated circuit includes a logic array 14 , an addressable memory 16 and a communication bus 18 .
  • the memory 16 includes a RAM section 20 to store information, a pair of cyclic shift registers 22 for temporary storage of information and programming code 24 for control of the logic array 14 and communication bus 18 .
  • the array 14 includes an arithmetic unit 26 to provide modular arithmetic operation, e.g. additional and multiplication, and a selection unit 28 controlled by the programming code 24 . It will be appreciated that the description of the card 10 is a schematic and restricted to that necessary for explanation of the preferred embodiment of the invention.
  • the card 10 is used in conjunction with a terminal 30 , for example an automated teller machine (ATM), that is connected to a network to allow financial transactions to be conducted.
  • the terminal 30 includes a keypad 32 to select options and tasks and has computing capabilities to perform the necessary functions in conjunction with the card 10 .
  • Access to the terminal 30 is obtained by inserting card 10 into a reader 34 and entering a pass code in a conventional manner.
  • the pass code is verified with the card 10 through communication bus 18 and the terminal 30 activated.
  • the keypad 32 is used to select a transaction, for example a transfer of funds, between accounts and generate a message through the network to give effect to the transactions, and card 10 is used to sign that transaction to indicate its authenticity.
  • the signature and message are transmitted over the network to the intended recipient and upon receipt and verification, the transaction is completed.
  • the RAM section 20 also includes a predetermined set of coordinates of points, kP, on an elliptic curve that has been preselected for use in a public key encryption scheme. It is preferred that the curve is over a finite field 2 m , conveniently, and by way of example only, 2 155 , and that the points kP are represented in normal basis representation.
  • Each point kP has an x coordinate and a y coordinate and is thus represented as two 155 digital data strings that are stored in the RAM 20 .
  • the RAM 20 contains 32 such points identified generically as kP and individually as k 0 P,k 1 P . . . k 31 P.
  • their coordinates (x,y) will be individually designated x 0 y 0 . . . x 31 y 31 .
  • the points kP are precomputed from the chosen parameters of the curve and the coordinates of an originating point P.
  • the k-fold addition of point P will provide a further point kP on the curve, represented by its coordinates (x,y) and the value of k cannot be determined even if the coordinates of points P and kP are known.
  • RAM 20 therefore contains the values of k associated with the respective points kP so that a set of stored signing elements k,kP is available for use in the signing of the transaction.
  • one session pair k j ; k j P is required and may be obtained from RAM 20 as set out more fully below. Assuming that values k j , k j P have been obtained, the signing protocol requires a signature r,s) where
  • r is the data string representing the x-coordinate, x j reduced mod q (q is a preselected publicly known divisor of e, the order of the curve, i.e. q/e x );and
  • s [k ⁇ 1 (h(m))+ar] mod q
  • h(m) is a q-bit hash of the message m generated by the transaction.
  • the signature (r,s 1 ,u) can be computed on the card 10 and forwarded by bus 18 to the terminal 30 for attachment to the message m.
  • two techniques are used to generate additional session pairs to the stored signing elements. It will be appreciated that each technique may be used individually although the combination of the two is preferred.
  • the first technique involves the use of the Frobenius Operator to derive additional session pairs from the stored signing elements and is shown in FIG. 3 .
  • there are 155 Frobenius Operators so each point kP stored in memory 20 may generate 155 points on the curve by application of the Frobenius Operators.
  • ⁇ i P it is simply necessary to load the x and y coordinates of a point kP into respective shift registers 22 and perform an i-fold cyclic shift. Because the coordinates (x,y) have a normal basis representation, a cyclic shift in the register 22 will perform a squaring operation, and an i-fold cyclic shift will raise the value to the power 2 i . Therefore, after the application of i clock cycles, the registers 22 contain the coordinates of ⁇ i (kP) which is a point on the curve and may be used in the signing protocol. The 155 possible values of the coordinates (x,y) of ⁇ i (kP) may be obtained by simple cyclic shifting. The representations in the registers 22 may then be used to obtain r.
  • is a constant that may be evaluated ahead of time and the values of its first m powers, ⁇ ′ computed.
  • the m values are stored in RAM 20 .
  • ⁇ i (kP) ⁇ i kP so the value of k associated with ⁇ i (kP) is ⁇ i k. Since k is stored for each value of kP in RAM 20 and ⁇ i is also stored, the new value of k, i.e. ⁇ i k, can be computed using the arithmetic unit 26 .
  • ⁇ i As an alternative, to facilitate efficient computation of ⁇ i and avoid excessive storage, it is possible to precompute specific powers of ⁇ and store them in RAM 20 . Because m is 155 in the specific example, the possible values of i can be represented as an 8-bit binary word. The values of ⁇ 2 ⁇ 2 7 are thus stored in RAM 20 and the value of ⁇ represented in binary. The prestored values of ⁇ 2 i are then retrieved as necessary and multiplied mode by arithmetic unit 26 to provide the value of ⁇ i . This is then multiplied by k to obtain the new value associated with ⁇ i (kP).
  • new session pairs k, kP may be derived simply and efficiently from the stored signing elements of the initial set. These session pairs may be computed in real time, thereby obviating the need to increase storage capacity and their computation utilizes simple arithmetic operations that may be implemented in arithmetic unit 26 .
  • a further technique, illustrated schematically in FIG. 4, to increase the number of session pairs of k and kP available, and thereby increase the number of signatures available from a card, is to combine pairs of stored signing elements to produce a new derived value.
  • the addition of two points k 1 P and k 2 P will produce a third point k 3 P that also lies on the curve and may therefore be used for signatures.
  • y 1 ⁇ y 2 and x 1 ⁇ x 2 is an XOR field operation that may be performed simply in logic array 16 .
  • the respective values of x 1 ,x 2 and y 1 ,y 2 are placed in respective ones of registers 22 and XOR'd.
  • the resultant data string is then passed over communication bus 16 to the terminal 30 .
  • the terminal 30 has sufficient computing capacity to perform the inversion, multiplication and summation to produce the value of X 3 . This is then returned to register 22 for signature.
  • the potential disclosure of x 3 does not jeopardize the security of the signature as the relevant portion is disclosed in the transmission of r.
  • the value of k 1 +k 2 is obtained from the arithmetic unit 26 within logic array 16 to provide a value of k 3 and hence a new session pair k 3 , k 3 P is available for signature.
  • the arithmetic functions performed on the card are relatively simple and those computationally more difficult are performed on the terminal 30 .
  • the above technique may of course be used with pairs selected directly from the stored signing elements or with the derived values obtained using the Frobenius Operator as described above.
  • the Frobenius Operator could be applied to the value of kP obtained from combining pairs of the stored signing elements to provide m possible values of each derived value.
  • only one of the stored signing elements should have the Frobenius Operator applied, as in the preferred embodiment illustrated in FIG. 5 .
  • the coordinates x 1 ,y 1 of one of the stored signing elements is applied to the registers 22 and cyclically shifted i times to provide ⁇ i k 1 P.
  • the respective coordinates, x ⁇ 1 ,y ⁇ 1 are XOR'd with the coordinates from another of the stored values k 2 P and the summed coordinates transmitted to ATM 30 for computation of the coordinate x 3 . This is retransmitted to the card 10 for computation of the value r.
  • the value of k 1 is processed by arithmetic unit 26 to provide ⁇ i k and added to k 2 to provide the new value k 3 for generation of signature component s.
  • arithmetic unit 26 receives the value of k 1 from an original set of 32 stored signing elements stored on card 10 . It is possible to generate in the order of 10 7 session pairs. In practice, a limit of 10 6 is realistic.
  • the above procedure requires a pair of stored signing elements to be used to generate each session pair.
  • the same set cannot be used more than once and the pairs of stored values constituting the set must not be selected in a predictable manner.
  • This selection function is performed by the selection unit 28 whose operation is shown schematically in FIG. 6 .
  • Selection unit 28 includes a set of counters 40 , 42 , 44 whose outputs address respective look up tables 46 , 48 , 50 .
  • the look up tables 46 , 48 , 50 map the successive outputs of the counters to pseudo random output values to provide unpredictability for the selection stored signing elements.
  • the 32 stored values of k and kP are assigned nominal designations as elements in a set 52 ranging from ⁇ 15 to +15 with one designated ⁇ . To ensure that all available combinations of stored values are used without repetition, the nominal designations are grouped in 16 pairs in an ordered array 54 such that the difference (mod 31 ) in the assigned values of a pair uses all the numbers from 1 to 30 . ⁇ is grouped with 0. This array provides a first row of a notional matrix.
  • Successive rows 54 a,b,c, etc. of the notional matrix are developed by adding 1 to each assigned designation of the preceding row until 15 rows are developed. In this way a matrix is developed without repetition of the designations in each cell.
  • ⁇ +1 ⁇ .
  • Counter 42 will have a full count after 15 increments and counter 40 will have a full count after 14 increments.
  • the full count values of counters 40 , 42 are relatively prime and the possible values of the counter 50 to select Frobenius Operator are relatively large, the output of counters 40 , 42 , 44 are mapped through the tables 46 , 48 , 50 respectively to provide values for row and column of the notional matrix and the order i of the Frobenius Operator to be applied.
  • the output of counter 48 selects a column of the array 54 from which a designation associated with a starting pair can be ascertained.
  • the output of counter 42 is mapped by table 48 to provide an output of 3, indicating that column 3 of array 54 should be selected.
  • the output of counter 40 is mapped through table 46 to provide a count of 3 indicating that values in row 3 of the matrix should be used.
  • the assigned designations for a particular row are then obtained by adding the row value to the values of the starting pair. This gives a new pair of assigned designations that indicate the locations of elements in set 52 .
  • the signing elements are then retrieved from the set 52 .
  • One of those pairs of signing elements is then output to a shift register 22 and operated upon by the designated Frobenius Operator ⁇ .
  • the value of the Frobenius Operation is obtained from the output of table 50 which maps counter 44 .
  • the value obtained from table 5 sets the shift clock associated with register 22 so that the contents of the register 22 are cyclically shifted to the Frobenius value ⁇ indicated by the output of table 50 .
  • a new value for kP is obtained.
  • the associated value of k can be computed as described above with the arithmetic unit utilizing the output of table 50 to determine the new value of ⁇ . Accordingly, a derived value is obtained.
  • the derived value and signing element are then combined as described at (ii) above to provide a new session pair k, kP for use in the signing process.
  • the use of the counters 40 , 42 provides input values for the respective tables so that the array 54 is accessed in a deterministic but unpredictable fashion.
  • the grouping of the pairs in the array 54 ensures there is no repetition in the selected elements to maintain the integrity of the signature scheme.
  • Counter 44 operates upon one of the selected pairs to modify it so that a different pair of values is presented for combination on each use, even though multiple access may be made to the array 54 .
  • the counters 40 , 42 , 44 may also be utilized to limit the use of the Smart Card if desired so that a forced expiry will occur after a certain number of uses. Given the large number of possible signatures, this facility may be desirable.
  • look up tables 46 , 48 , 50 may be utilized, such as a linear feedback shift register, to achieve a mapped output if preferred.
  • Further selection of the session pairs can be obtained by preprocessing of the contents of register 52 using one or more of the techniques shown in FIGS. 7, 8 or 9 .
  • a source row ‘s’ is selected and the session pair k s ,k s P read from the register.
  • a function is applied to the session pair, which for example is the Frobenius operation as set out in FIG. 3 to provide a new session pair ⁇ i k s ; ⁇ i (k s P).
  • a destination row, d is then selected in the table 52 and the new session pair combined with the contents of that row to generate a new pair of values. The contents of the table 52 are thus updated and a selection of pairs may be made for the generation of a new session pair as described above.
  • the preprocessing may be repeated a number of times with different source rows s, and destinations, d, so that a thorough mixing is obtained.
  • the selection of source rows, s, and destinations, d, may be selected deterministically using the counters 40 , 42 .
  • an alternative function may be applied to the selected row. For example, a sign may be applied to the selected row prior to accumulation of a destination.
  • FIG. 8 An alternative embodiment is shown in FIG. 8 where multiple source rows s 1 . . . s n are used and the selected session pairs combined. Typically two source rows are used but more than two can be combined if preferred. In this case the combining may proceed as shown in FIG. 5 and the new value accumulated at the destination row, d, of the register. As the x coordinate of the combined point will identify one of the coordinates in the register 52 , it is preferred to perform the computation on the card where feasible.
  • the selected session pairs may be modified prior to or subsequent to their addition by application of a second function, e.g. signing, (as shown in ghosted outline) to provide further security in the updating of the register 52 .
  • a second function e.g. signing, (as shown in ghosted outline) to provide further security in the updating of the register 52 .
  • an initial set of session pairs is injected into the register 52 of each card 10 .
  • a random number generator 60 is run for an initial period and its output used to select the source and destination rows of the register 52 .
  • the source row is accumulated with the destination now so that the session pair of the set are changed with each iteration.
  • a function such as a sign or a Frobenius operation may be applied to the selected session pair before accumulation.
  • the mixing continues for a further period with the output of generator 60 being used periodically to select each row.
  • the session pairs may be selected and combined as described above for FIG. 6 .
  • the sets of session pairs in each register 52 will also vary from device to device. Therefore the same initial table may be used but different session pairs will be generated.
  • pairs of signing elements from an initial set of stored values can be selected in a deterministic and unpredictable manner and one of those elements operated upon by the Frobenius Operator to provide additional values for the elements.
  • the elements may then be combined to obtain a new session pair with a portion of the computation being performed off card but without disclosing the value of the elements. Accordingly, an extended group of session pairs is available for signing from a relatively small group of stored values.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Accounting & Taxation (AREA)
  • Signal Processing (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Optimization (AREA)
  • Finance (AREA)
  • Mathematical Analysis (AREA)
  • Algebra (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Storage Device Security (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Credit Cards Or The Like (AREA)

Abstract

A digital signature scheme for a “smart” card utilizes a set of prestored signing elements and combines pairs of the elements to produce a new session pair. The combination of the elements is performed partly on the card and partly on the associated transaction device so that the exchange of information between card and device does not disclose the identity of the signing elements. The signing elements are selected in a deterministic but unpredictable manner so that each pair of elements is used once. Further signing pairs are generated by implementing the signing over an anomalous elliptic curve encryption scheme and applying a Frobenius Operator to the normal basis representation of one of the elements.

Description

This application is a continuation of U.S. continuation-in-part application Ser. No. 09/434,247 and claims priority from U.S. application Ser. No. 08/632,845, now U.S. Pat. No. 5,999,626.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to methods and apparatus for generating digital signatures.
2. Discussion of Related Art
It has become widely accepted to conduct transactions, such as financial transactions or exchange of documents, electronically. In order to verify the transaction, it is also well known to “sign” the transaction digitally so that the authenticity of the transaction can be verified. The signature is performed according to a protocol that utilizes the message, i.e. the transaction, and a secret key associated with the party. The recipient can verify the signature using a public key of the signing party to recover the message and compare it with the transmitted message. Any attempt to tamper with the message or to use a key other than that of the signing party will result in an incompatibility between the sent message and that recovered from the signature or will fail to identify the party correctly and thereby lead to rejection of the transaction.
The signature must be performed such that the signing party's secret key cannot be determined. To avoid the complexity of distributing secret keys, it is convenient to utilize a public key encryption scheme in the generation of the signature. Such capabilities are available where the transaction is conducted between parties having access to relatively large computing resources but it is equally important to facilitate such transactions at an individual level where more limited computing resources are available.
Automated teller machines (ATMs) and credit cards are widely used for personal transactions and as their use expands, so the need to verify such transactions increases. Transaction cards, i.e. credit/debit cards or pass cards are now available with limited computing capacity (so-called “Smart Cards”) but these do not have sufficient computing capacity to implement existing digital signature protocols in a commercially viable manner.
As noted above, in order to generate a digital signature, it is necessary to utilize a public key encryption scheme. Most public key schemes are based on the Diffie Helman Public key protocol and a particularly popular implementation is that known as DSS. The DSS scheme utilizes the set of integers Zp where p is a large prime. For adequate security, p must be in the order of 512 bits although the resultant signature may be reduced mod q, where q divides p−1, and may be in the order of 160 bits.
The DSS protocol provides a signature composed of two components r, s. The protocol requires the selection of a secret random integer k referred to as the session key from the set of integers (0,1,2, . . . q−1), i.e.
kε{0,1,2, . . . q−1}.
The component r is then computed such that
r={β kmod p} mod q
where β is a generator of q.
The component s is computed as
s −[k −1 (h(m))+ar] mod q
where m is the message to be transmitted,
h(m) is a hash of that message, and
a is the private key of the user.
The signature associated with the message is then s,r which may be used to verify the origin of the message from the public key of the user.
The value βk is computationally difficult for the DSS implementation as the exponentiation requires multiple multiplications mod p. This is beyond the capabilities of a “Smart Card” in a commercially acceptable time. Although the computation could be completed on the associated ATM, this would require the disclosure of the session key k to the ATM and therefore render the private key, a, vulnerable.
It has been proposed to precompute βk and store sets of values of r and k on the card. The generation of the signature then only requires two 160 bit multiplications and signing can be completed within ½ second for typical applications. However, the number of sets of values stored limits the number of uses of the card before either reloading or replacement is required. A problem that exists therefore is how to generate sufficient sets of values within the storage and/or computing capacity of the card.
One possibility is to use a smaller value of p but with the DSS scheme this will jeopardize the security of the transaction.
An alternative encryption scheme that provides enhanced security at relatively small modulus is that utilizing elliptic curves in the finite field 2m. A value of m in the order of 155 provides security comparable to a 512 bit modulus for DSS and therefore offers significant benefits in implementation.
Diffie Helman Public Key encryption utilizes the properties of discrete logs so that even if a generator β and the exponentiation βk is known, the value of k cannot be determined. A similar property exists with elliptic curves where the addition of two points on a curve produces a third point on the curve. Similarly, multiplying any point on the curve by an integer k produces a further point on the curve. However, knowing the starting point and the end point does not reveal the value of the integer ‘k’ which may then be used as a session key for encryption. The value kP, where P is an initial known point, is therefore equivalent to the exponentiation βk.
In order to perform a digital signature on an elliptic curve, it is necessary to have available the session key k and a value of kP referred to as a “session pair”. Each signature utilizes a different session pair k and kP and although the representation of k and kP is relatively small compared with DSS implementations, the practical limits for “Smart Cards” are in the order of 32 signatures. This is not sufficient for commercial purposes.
One solution for both DSS and elliptic curve implementations is to store pairs of signing elements k, kP and combine stored pairs to produce a new session pair. For an elliptic curve application, this would yield a possible 500 session pairs from an initial group of 32 stored signing elements. The possibilities would be more limited when using DSS because of the smaller group of signing elements that could be stored.
In order to compute a new session pair, k and kP, from a pair of stored signing elements, it is necessary to add the values of k, e.g. k1+k2→k and the values of k1P and k2P to give a new value kP. In an elliptic curve, the addition of two points to provide a third point is performed according to set formula such that the addition of a point k2P having coordinates (x,y) and a point k1P having coordinates (x2y2) provides a point k3P whose x coordinate x3 is given by: x 3 = y 1 y 2 2 y 1 y 2 x 1 x 2 . x 1 x 2 x 1 x 2
Figure US06704870-20040309-M00001
This computation may be significantly simplified using the normal basis representation in a field F2m, as set out more fully in our PCT Application Serial No.
PCT/CA/9500452, the contents of which are incorporated herein by reference. However, even using such advantageous techniques, it is still necessary to utilize a finite field multiplier and provide sufficient space for code to perform the computation. This is not feasible within the practical limits of available “Smart” cards.
As noted above, the ATM used in association with the card has sufficient computing power to perform the computation but the transfer of the coordinates of k1P and k2P from the card to the terminal would jeopardize the integrity of subsequent digital signatures as two of the stored signing elements would be known.
SUMMARY OF THE INVENTION
It is therefore an object of the present invention to obviate or mitigate the above disadvantages and facilitate the preparation of additional pairs of values from a previously stored set.
In general terms, one aspect of the present invention proposes to compute on one computing device an initial step in the computation of a coordinate of a point derived from a pair of points to inhibit recognition of the individual components, transfer such information to another computing device remote from said one device, perform at least such additional steps in said derivation at such other device to permit the completion of the derivation at said one device and transfer the result thereof to said one computing device.
Preferably, the initial step involves a simple field operation on the two sets of coordinates which provides information required in the subsequent steps of the derivation.
Preferably also the additional steps performed at the other device complete the derivation.
In a preferred embodiment, the initial step involves the addition of the x coordinates and the addition y coordinates to provide the terms (x1⊕x2) and (y1⊕y2).
The addition of the coordinates is an XOR operation that can readily be performed on the card and the results provided to the terminal.
In this manner, the coordinates (x,y) representing kP in a stored signing element are not disclosed as insufficient information is provided even with subsequent uses of the card. Accordingly, the x coordinate of up to 500 signatures can be generated from an initial set of 32 stored signing elements.
The new value of k can be computed on the card and to avoid computing the inverse k−1, alternative known masking techniques can be utilized.
A further aspect of the present invention provides a method of generating additional sets of points from the initial set that may be used individually as a new value of kP or in combination to generate still further values of kP.
According to this aspect of the invention, the curve is an anomalous curve and the Frobenius Operator is applied to at least one of the coordinates representing a point in the initial set to provide a coordinate of a further point on the elliptic curve. The Frobenius Operator Ø provides that for a point (x1,y1) on an anomalous curve, then Ø (x1,y1) is a point (x1 2,y1 2) that also lies on the curve. In general, Øi(x1y1) is a point x2 i , y2 i that also lies on the curve. For a curve over the field 2 m, there are m Frobenius Operators so for each value of kP stored in the initial set, m values of kP may be generated, referred to as “derived” values. The new value of k associated with each point can be derived from the initial relationship between P and ØP and the initial value of k.
For a practical implementation where 32 pairs of signing elements are initially retained on the card and the curve is over the field 2 155, utilizing the Frobenius Operator provides in the order of 4960 possible derived values and by combining pairs of such derived values as above in the order of 107 values of kP can be obtained from the initial 32 stored signing elements and the corresponding values of k obtained to provide 107 session pairs.
Preferably, the stored values of kP are in a normal basis representation. The application Frobenius Operator then simply requires an “i” fold cyclic shift to obtain the value for an Øi operation.
According to a further aspect of the invention, there is provided a method of generating signature components for use in a digital signature scheme, said signature components including private information and a public key derived from said private information, said method comprising the steps of storing private information and related public key as an element in a set of such information, cycling in a deterministic but unpredictable fashion through said set to select at least one element of said set without repetition and utilizing said one element to derive a signature component in said digital signature scheme.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and other object and advantages of the present invention will become apparent from the following description when read in conjunction with the accompanying drawings wherein:
FIG. 1 is a schematic representation of a programmable credit card;
FIG. 2 is a schematic representation of a transaction performed between the card and network;
FIG. 3 is a schematic representation of the derivation of a session pair from a pair of stored signing elements;
FIG. 4 is a schematic representation of one step in the transmission of information shown in FIG. 2;
FIG. 5 is a schematic representation of a preferred implementation of the derivation of a session pair from two pairs of stored values;
FIG. 6 is a schematic representation of a selection unit shown in FIG. 1;
FIG. 7 is a schematic representation of a further embodiment of the derivation of session pairs from stored values;
FIG. 8 is an alternative schematic to the embodiment of FIG. 7; and
FIG. 9 is yet another alternative schematic to the embodiment of FIG. 7.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT The System
Referring therefore to FIG. 1, a programmable credit card 10 (referred to as a ‘SMART’ card) has an integrated circuit 12 embedded within the body of card 10.
The integrated circuit includes a logic array 14, an addressable memory 16 and a communication bus 18. The memory 16 includes a RAM section 20 to store information, a pair of cyclic shift registers 22 for temporary storage of information and programming code 24 for control of the logic array 14 and communication bus 18. The array 14 includes an arithmetic unit 26 to provide modular arithmetic operation, e.g. additional and multiplication, and a selection unit 28 controlled by the programming code 24. It will be appreciated that the description of the card 10 is a schematic and restricted to that necessary for explanation of the preferred embodiment of the invention.
The card 10 is used in conjunction with a terminal 30, for example an automated teller machine (ATM), that is connected to a network to allow financial transactions to be conducted. The terminal 30 includes a keypad 32 to select options and tasks and has computing capabilities to perform the necessary functions in conjunction with the card 10.
Access to the terminal 30 is obtained by inserting card 10 into a reader 34 and entering a pass code in a conventional manner. The pass code is verified with the card 10 through communication bus 18 and the terminal 30 activated. The keypad 32 is used to select a transaction, for example a transfer of funds, between accounts and generate a message through the network to give effect to the transactions, and card 10 is used to sign that transaction to indicate its authenticity. The signature and message are transmitted over the network to the intended recipient and upon receipt and verification, the transaction is completed.
The Card
The RAM section 20 of memory 16 includes digital data string representing a private key, a, which remains secret with the owner of the card and a corresponding public key Q=aP where P is the publicly known initial point on the selected curve. The RAM section 20 also includes a predetermined set of coordinates of points, kP, on an elliptic curve that has been preselected for use in a public key encryption scheme. It is preferred that the curve is over a finite field 2 m, conveniently, and by way of example only, 2 155, and that the points kP are represented in normal basis representation. The selected curve should be an anomalous curve, e.g. a curve that satisfies y2+xy=x3+1, and has an order, e. Each point kP has an x coordinate and a y coordinate and is thus represented as two 155 digital data strings that are stored in the RAM 20. By way of example, it will be assumed that the RAM 20 contains 32 such points identified generically as kP and individually as k0P,k1P . . . k31P. Similarly, their coordinates (x,y) will be individually designated x0y0 . . . x31y31.
The points kP are precomputed from the chosen parameters of the curve and the coordinates of an originating point P. The k-fold addition of point P will provide a further point kP on the curve, represented by its coordinates (x,y) and the value of k cannot be determined even if the coordinates of points P and kP are known.
RAM 20 therefore contains the values of k associated with the respective points kP so that a set of stored signing elements k,kP is available for use in the signing of the transaction.
Signing
To sign a message m generated by the transaction, one session pair kj; kjP is required and may be obtained from RAM 20 as set out more fully below. Assuming that values kj, kjP have been obtained, the signing protocol requires a signature r,s) where
r is the data string representing the x-coordinate, xj reduced mod q (q is a preselected publicly known divisor of e, the order of the curve, i.e. q/ex);and
s=[k−1(h(m))+ar] mod q where h(m) is a q-bit hash of the message m generated by the transaction.
In this signature, even though r is known, s contains the secret k and the private key, a, and so inhibits the extraction of either.
The generation of s requires the inversion of the value k and since k is itself to be derived from the stored set of values of k, it is impractical to store corresponding inverted values of possible k's. Accordingly, a known masking technique is used to generate components r, s1 and u of a signature. This is done by selecting an integer, c, and computing a value u=ck. The value s−1=c(h(m)+ar) mod q.
The signature value s can then be obtained by the recipient computing s1u−1=k−1 [h(m)+ar].
The signature (r,s1,u) can be computed on the card 10 and forwarded by bus 18 to the terminal 30 for attachment to the message m.
Generation of Session Pair
As noted above, in order to generate the signature (r,s), it is necessary to have for session pair k and kP. Security dictates that each session pair is only used once and it is assumed that the number of signing elements stored in RAM 20 is insufficient for commercial application.
In the preferred embodiment, two techniques are used to generate additional session pairs to the stored signing elements. It will be appreciated that each technique may be used individually although the combination of the two is preferred.
(i) Frobenius Operator
The first technique involves the use of the Frobenius Operator to derive additional session pairs from the stored signing elements and is shown in FIG. 3. The Frobenius Operator denoted Ø operates on a point P having coordinates (x,y) on an anomalous elliptic curve in the finite field 2 m such that Øip =(x2 i ,y2 i ). Moreover, the point ØiP is also on the curve. In the field 2 155, there are 155 Frobenius Operators so each point kP stored in memory 20 may generate 155 points on the curve by application of the Frobenius Operators. Thus, for the 32 values of kP stored, there are 4960 possible values of kP available by application of the Frobenius Operator.
To derive the value of ØiP, it is simply necessary to load the x and y coordinates of a point kP into respective shift registers 22 and perform an i-fold cyclic shift. Because the coordinates (x,y) have a normal basis representation, a cyclic shift in the register 22 will perform a squaring operation, and an i-fold cyclic shift will raise the value to the power 2 i. Therefore, after the application of i clock cycles, the registers 22 contain the coordinates of Øi(kP) which is a point on the curve and may be used in the signing protocol. The 155 possible values of the coordinates (x,y) of Øi(kP) may be obtained by simple cyclic shifting. The representations in the registers 22 may then be used to obtain r.
Where the use of Frobenius Operator provides sufficient values for commercial use, only one coordinate is needed to compute the value of r and so only a single shift register is needed. However, as will be described below, further session pairs can be derived if both the coordinates are known and so a pair of registers is provided.
For each value of Øi(kP), it is necessary to obtain the corresponding value of k Ø(P)=λP. λ is a constant that may be evaluated ahead of time and the values of its first m powers, λ′ computed. The m values are stored in RAM 20.
In general, Øi(kP)→λikP so the value of k associated with Øi(kP) is λik. Since k is stored for each value of kP in RAM 20 and λi is also stored, the new value of k, i.e. λik, can be computed using the arithmetic unit 26.
As an alternative, to facilitate efficient computation of λi and avoid excessive storage, it is possible to precompute specific powers of λ and store them in RAM 20. Because m is 155 in the specific example, the possible values of i can be represented as an 8-bit binary word. The values of λ2→λ2 7 are thus stored in RAM 20 and the value of λ represented in binary. The prestored values of λ2 i are then retrieved as necessary and multiplied mode by arithmetic unit 26 to provide the value of λi. This is then multiplied by k to obtain the new value associated with Øi(kP).
It will be seen therefore that new session pairs k, kP may be derived simply and efficiently from the stored signing elements of the initial set. These session pairs may be computed in real time, thereby obviating the need to increase storage capacity and their computation utilizes simple arithmetic operations that may be implemented in arithmetic unit 26.
(ii) Combining Pairs
A further technique, illustrated schematically in FIG. 4, to increase the number of session pairs of k and kP available, and thereby increase the number of signatures available from a card, is to combine pairs of stored signing elements to produce a new derived value. The addition of two points k1P and k2P will produce a third point k3P that also lies on the curve and may therefore be used for signatures.
The addition of two points having coordinates (x1,y1)(x2y2) respectively on a curve produces a new point having an x coordinate x3 where x 3 = y 1 y 2 2 y 1 y 2 x 1 x 2 . x 1 x 2 x 1 x 2
Figure US06704870-20040309-M00002
In the finite field 2 m, y1⊕y2 and x1⊕x2 is an XOR field operation that may be performed simply in logic array 16. Thus the respective values of x1 ,x2 and y1,y2 are placed in respective ones of registers 22 and XOR'd. The resultant data string is then passed over communication bus 16 to the terminal 30. The terminal 30 has sufficient computing capacity to perform the inversion, multiplication and summation to produce the value of X3. This is then returned to register 22 for signature. The potential disclosure of x3 does not jeopardize the security of the signature as the relevant portion is disclosed in the transmission of r.
The value of k1+k2 is obtained from the arithmetic unit 26 within logic array 16 to provide a value of k3 and hence a new session pair k3, k3P is available for signature.
It will be appreciated that the value for y3 has not been computed as the signing value r is derived from x3 rather than both coordinates.
It will be noted that the values of x1 and x2 or y1 and y2 are not transmitted to terminal 30 and provided a different pair of points is used for each signature, then the values of the coordinates remains undisclosed.
At the same time, the arithmetic functions performed on the card are relatively simple and those computationally more difficult are performed on the terminal 30.
Preferred Implementation of Generating Session Pairs
The above technique may of course be used with pairs selected directly from the stored signing elements or with the derived values obtained using the Frobenius Operator as described above. Alternatively, the Frobenius Operator could be applied to the value of kP obtained from combining pairs of the stored signing elements to provide m possible values of each derived value.
To ensure security and avoid duplication of session pairs, it is preferred that only one of the stored signing elements should have the Frobenius Operator applied, as in the preferred embodiment illustrated in FIG. 5.
In this arrangement, the coordinates x1,y1 of one of the stored signing elements is applied to the registers 22 and cyclically shifted i times to provide Øi k1P.
The respective coordinates, xØ 1 ,yØ 1 , are XOR'd with the coordinates from another of the stored values k2P and the summed coordinates transmitted to ATM 30 for computation of the coordinate x3. This is retransmitted to the card 10 for computation of the value r.
The value of k1 is processed by arithmetic unit 26 to provide λik and added to k2 to provide the new value k3 for generation of signature component s. In this embodiment, from an original set of 32 stored signing elements stored on card 10, it is possible to generate in the order of 107 session pairs. In practice, a limit of 106 is realistic.
Selection of Pairs Stored Signing Elements
The above procedure requires a pair of stored signing elements to be used to generate each session pair. In order to preserve the integrity of the system, the same set cannot be used more than once and the pairs of stored values constituting the set must not be selected in a predictable manner.
This selection function is performed by the selection unit 28 whose operation is shown schematically in FIG. 6.
Selection unit 28 includes a set of counters 40,42,44 whose outputs address respective look up tables 46,48,50. The look up tables 46,48,50 map the successive outputs of the counters to pseudo random output values to provide unpredictability for the selection stored signing elements.
The 32 stored values of k and kP are assigned nominal designations as elements in a set 52 ranging from −15 to +15 with one designated ∞. To ensure that all available combinations of stored values are used without repetition, the nominal designations are grouped in 16 pairs in an ordered array 54 such that the difference (mod 31) in the assigned values of a pair uses all the numbers from 1 to 30. ∞ is grouped with 0. This array provides a first row of a notional matrix.
Successive rows 54 a,b,c, etc. of the notional matrix are developed by adding 1 to each assigned designation of the preceding row until 15 rows are developed. In this way a matrix is developed without repetition of the designations in each cell. By convention ∞+1=∞.
Counter 42 will have a full count after 15 increments and counter 40 will have a full count after 14 increments. Provided the full count values of counters 40,42 are relatively prime and the possible values of the counter 50 to select Frobenius Operator are relatively large, the output of counters 40,42,44 are mapped through the tables 46,48,50 respectively to provide values for row and column of the notional matrix and the order i of the Frobenius Operator to be applied.
The output of counter 48 selects a column of the array 54 from which a designation associated with a starting pair can be ascertained. In the example of FIG. 6, the output of counter 42 is mapped by table 48 to provide an output of 3, indicating that column 3 of array 54 should be selected. Similarly, the output of counter 40 is mapped through table 46 to provide a count of 3 indicating that values in row 3 of the matrix should be used.
The assigned designations for a particular row are then obtained by adding the row value to the values of the starting pair. This gives a new pair of assigned designations that indicate the locations of elements in set 52. The signing elements are then retrieved from the set 52.
One of those pairs of signing elements is then output to a shift register 22 and operated upon by the designated Frobenius Operator Ø. The value of the Frobenius Operation is obtained from the output of table 50 which maps counter 44. The value obtained from table 5 sets the shift clock associated with register 22 so that the contents of the register 22 are cyclically shifted to the Frobenius value Ø indicated by the output of table 50.
Accordingly, a new value for kP is obtained. The associated value of k can be computed as described above with the arithmetic unit utilizing the output of table 50 to determine the new value of λ. Accordingly, a derived value is obtained.
The derived value and signing element are then combined as described at (ii) above to provide a new session pair k, kP for use in the signing process.
The use of the counters 40,42 provides input values for the respective tables so that the array 54 is accessed in a deterministic but unpredictable fashion. The grouping of the pairs in the array 54 ensures there is no repetition in the selected elements to maintain the integrity of the signature scheme.
Counter 44 operates upon one of the selected pairs to modify it so that a different pair of values is presented for combination on each use, even though multiple access may be made to the array 54.
The counters 40,42,44 may also be utilized to limit the use of the Smart Card if desired so that a forced expiry will occur after a certain number of uses. Given the large number of possible signatures, this facility may be desirable.
Alternative structures to the look up tables 46,48,50 may be utilized, such as a linear feedback shift register, to achieve a mapped output if preferred.
Further selection of the session pairs can be obtained by preprocessing of the contents of register 52 using one or more of the techniques shown in FIGS. 7, 8 or 9.
In its simplest form, as shown in FIG. 7, a source row ‘s’ is selected and the session pair ks,ksP read from the register. A function is applied to the session pair, which for example is the Frobenius operation as set out in FIG. 3 to provide a new session pair λi ks; φi (ksP). A destination row, d, is then selected in the table 52 and the new session pair combined with the contents of that row to generate a new pair of values. The contents of the table 52 are thus updated and a selection of pairs may be made for the generation of a new session pair as described above.
The preprocessing may be repeated a number of times with different source rows s, and destinations, d, so that a thorough mixing is obtained. The selection of source rows, s, and destinations, d, may be selected deterministically using the counters 40,42.
Alternatively, where the card 10 does not have adequate computing power or a curve other than an anomalous curve is used, an alternative function may be applied to the selected row. For example, a sign may be applied to the selected row prior to accumulation of a destination.
An alternative embodiment is shown in FIG. 8 where multiple source rows s1 . . . sn are used and the selected session pairs combined. Typically two source rows are used but more than two can be combined if preferred. In this case the combining may proceed as shown in FIG. 5 and the new value accumulated at the destination row, d, of the register. As the x coordinate of the combined point will identify one of the coordinates in the register 52, it is preferred to perform the computation on the card where feasible.
The selected session pairs may be modified prior to or subsequent to their addition by application of a second function, e.g. signing, (as shown in ghosted outline) to provide further security in the updating of the register 52.
Where a random number generator is incorporated on the card 10, the above preprocessing may be used effectively in the production of the cards. Referring to FIG. 9, an initial set of session pairs is injected into the register 52 of each card 10. A random number generator 60 is run for an initial period and its output used to select the source and destination rows of the register 52. The source row is accumulated with the destination now so that the session pair of the set are changed with each iteration. If preferred, a function such as a sign or a Frobenius operation may be applied to the selected session pair before accumulation. The mixing continues for a further period with the output of generator 60 being used periodically to select each row. Once the register is considered thoroughly mixed, the session pairs may be selected and combined as described above for FIG. 6. As the output of each generator 60 will vary from device to device, the sets of session pairs in each register 52 will also vary from device to device. Therefore the same initial table may be used but different session pairs will be generated.
In summary, therefore, pairs of signing elements from an initial set of stored values can be selected in a deterministic and unpredictable manner and one of those elements operated upon by the Frobenius Operator to provide additional values for the elements. The elements may then be combined to obtain a new session pair with a portion of the computation being performed off card but without disclosing the value of the elements. Accordingly, an extended group of session pairs is available for signing from a relatively small group of stored values.
While the present invention has been illustrated and described by means of a specific embodiment, it is to be understood that numerous changes and modifications can be made therein without departing from the spirit and scope of the invention.

Claims (25)

What is claimed is:
1. A method of generating a signature on a message m in an elliptic curve cryptographic system having a seed point P on an elliptic curve of order e over a finite field, said method comprising the steps of:
i) selecting as a session key an integer k and computing representation of a corresponding point kP;
ii) deriving from said representation a first signature component, r, independent of said message,m;
iii) combining said first signature component, r, with a private key, a, a value derived from said message, m, and said session key, k, to obtain a second 10 signature component, s, containing said private key, a, and said session key, k, such that extraction of either is inhibited even when said signature components, r,s, are made public; and
iv) utilizing said signature components r,s, in the signature of the message, m.
2. A method according to claim 1 wherein said value derived from said message, m, is obtained by applying a hash function to said message.
3. A method according to claim 2 wherein said second signature component, s, is of the form s=k−1{h(m)+ar} mod q, where q is a divisor of the order, e, of said elliptic curve and h(m) is said value derived by applying a hash function to said message.
4. A method according to claim 1 wherein said first signature component r is obtained by utilizing one coordinate of said point kP.
5. A method according to claim 4 wherein said one coordinate is the x coordinate of said point kP.
6. A method according to claim 5 wherein said x-coordinate is reduced mod q.
7. A method according to claim 6 wherein said signature consists of said first and second signature components.
8. A method according to claim 7 wherein said elliptic curve is an anomalous elliptic curve.
9. A method according to claim 8 wherein said anomalous curve is of the form y2=xy=x3+1.
10. A method according to claim 1 wherein an integer is derived from said representation of said point kP.
11. A method according to claim 10 wherein said integer is obtained by selecting one of said coordinates of said point kP, and reducing said coordinate mod q where q is a divisor of the order, e, of the elliptic curve.
12. A method according to claim 11 wherein said one coordinate is the x coordinate of said point kP.
13. A method according to claim 12 wherein said divisor q is preselected and publically known.
14. A method according to claim 12 wherein said value derived from said message, m, is obtained by applying a hash function to said message.
15. A method according to claim 14 wherein said value derived from said message is a q bit hash of said message.
16. A method according to claim 15 wherein said elliptic curve is an anomalous elliptic curve.
17. A method according to claim 16 wherein said elliptic curve is of the form y2+xy=x3+1.
18. A method according to claim 1 wherein said second signature component s has a value corresponding to k1{h(m)+ar} mod q.
19. A method according to claim 18 wherein a value corresponding to said second signature component s is obtained by selecting an integer, c, and computing a value, u, which equals the product of c and k and computing s=c{h(m)+ar}, said signature components on said message m including r, s, and u.
20. A method according to claim 19 wherein a value corresponding to k1{h(m)+ar} mod q is obtained by a recipient of said signature by computing the product of said second signature component, s, and an inverse of said value, u.
21. A method of generating a digital signature r, s, of a message m using an elliptic curve cryptosystem employing an elliptic curve of order e, said method comprising the steps of:
i) selecting an integer k and determining a corresponding point kP where P is point on the curve;
ii) selecting a coordinate (x) of the point kP;
iii) reducing the coordinate mod q where q is a known divisor of e, to obtain a first component r; and
iv) combining said first component, r, with a long-term private key a and 10 said integer k to obtain a second signature component s, such that extraction of either said long term private key a or said integer k is inhibited even when said signature r,s, are made public.
22. A method according to claim 21 wherein said second signature component s has the form s=k1{h(m)+ar} mod q, where h(m) is a hash of the message m.
23. A method according to claim 22 wherein said elliptic curve is an anomalous elliptic curve of the form y2+xy=x3+1.
24. A method of generating a signature r,s, of a message m performed on an elliptic curve cryptosystem implemented over an anomalous elliptic curve of the form said y2+xy=x31, method comprising the steps of:
i) performing a Frobenius operation 0 upon at least one coordinate, x, of a point kP, where k is an integer and kP is a point on the curve obtained from a k fold 6 composition of a point P on the curve, to obtain a corresponding coordinate x′ of a point k′P corresponding to Øi(kP);
ii) operating upon the integer k upon by a constant λ where Øi(kP)=λiP to obtain a value k′;
iii) utilizing the coordinate x′ to obtain a first signature component r; and
iv) combining said first signature component r with the value k′ to obtain said second signature component s.
25. A method of generating a session key pair from an initial key pair k, kP for use in a public key encryption elliptic scheme implemented over an anomalous curve of the form y2xy=x31 where k is an integer and kP is a point on the curve obtained from a k fold composition of a point P on the curve, said method comprising the steps of:
i) performing a Frobenius operation Øi upon the point kP to obtain a point k′P corresponding to Øi(kP);
ii) operating upon the integer k by a constant λ where Øi(kp)=λip to obtain a value k′ corresponding to λik; and utilizing the values k′ and k′P as a session key pair in a cryptographic operation.
US09/942,492 1996-04-16 2001-08-29 Digital signatures on a Smartcard Expired - Lifetime US6704870B2 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US09/942,492 US6704870B2 (en) 1996-04-16 2001-08-29 Digital signatures on a Smartcard
US10/765,976 US20050039023A1 (en) 1996-04-16 2004-01-29 Digital signatures on a smartcard
US11/563,017 US20070177726A1 (en) 1996-04-16 2006-11-23 Digital signatures on a smartcard
US12/135,865 US20080310625A1 (en) 1996-04-16 2008-06-09 Digital signature on a smartcard

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US08/632,845 US5999626A (en) 1996-04-16 1996-04-16 Digital signatures on a smartcard
US09/434,247 US6925564B1 (en) 1996-04-16 1999-11-05 Digital signatures on a smartcard
US09/942,492 US6704870B2 (en) 1996-04-16 2001-08-29 Digital signatures on a Smartcard

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US09/434,247 Continuation US6925564B1 (en) 1996-04-16 1999-11-05 Digital signatures on a smartcard

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US10/765,976 Division US20050039023A1 (en) 1996-04-16 2004-01-29 Digital signatures on a smartcard

Publications (2)

Publication Number Publication Date
US20020095583A1 US20020095583A1 (en) 2002-07-18
US6704870B2 true US6704870B2 (en) 2004-03-09

Family

ID=24537188

Family Applications (6)

Application Number Title Priority Date Filing Date
US08/632,845 Expired - Lifetime US5999626A (en) 1996-04-16 1996-04-16 Digital signatures on a smartcard
US09/434,247 Expired - Fee Related US6925564B1 (en) 1996-04-16 1999-11-05 Digital signatures on a smartcard
US09/942,492 Expired - Lifetime US6704870B2 (en) 1996-04-16 2001-08-29 Digital signatures on a Smartcard
US10/765,976 Abandoned US20050039023A1 (en) 1996-04-16 2004-01-29 Digital signatures on a smartcard
US11/563,017 Abandoned US20070177726A1 (en) 1996-04-16 2006-11-23 Digital signatures on a smartcard
US12/135,865 Abandoned US20080310625A1 (en) 1996-04-16 2008-06-09 Digital signature on a smartcard

Family Applications Before (2)

Application Number Title Priority Date Filing Date
US08/632,845 Expired - Lifetime US5999626A (en) 1996-04-16 1996-04-16 Digital signatures on a smartcard
US09/434,247 Expired - Fee Related US6925564B1 (en) 1996-04-16 1999-11-05 Digital signatures on a smartcard

Family Applications After (3)

Application Number Title Priority Date Filing Date
US10/765,976 Abandoned US20050039023A1 (en) 1996-04-16 2004-01-29 Digital signatures on a smartcard
US11/563,017 Abandoned US20070177726A1 (en) 1996-04-16 2006-11-23 Digital signatures on a smartcard
US12/135,865 Abandoned US20080310625A1 (en) 1996-04-16 2008-06-09 Digital signature on a smartcard

Country Status (3)

Country Link
US (6) US5999626A (en)
EP (2) EP0807908B1 (en)
CA (2) CA2640992A1 (en)

Cited By (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060153368A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Software for providing based on shared knowledge public keys having same private key
US20060153369A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Providing cryptographic key based on user input data
US20060153371A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Generating digital signatures using ephemeral cryptographic key
US20060156013A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Digital signature software using ephemeral private key and system
US20060156012A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Facilitating digital signature based on ephemeral private key
US20060153364A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Asymmetric key cryptosystem based on shared knowledge
US20060153370A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Generating public-private key pair based on user input data
US20060153366A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Verifying digital signature based on shared knowledge
US20060153367A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Digital signature system based on shared knowledge
US20060153365A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Providing digital signature and public key based on shared knowledge
EP1729442A2 (en) 2005-06-03 2006-12-06 Tata Consultancy Services Limited An authentication system executing an elliptic curve digital signature cryptographic process
WO2007094763A2 (en) * 2006-02-09 2007-08-23 Atmel Corporation Data security including real-time key generation
US20070217601A1 (en) * 2001-12-31 2007-09-20 Lambert Robert J Method and apparatus for elliptic curve scalar multiplication
US20080046310A1 (en) * 2004-05-19 2008-02-21 France Telecom Method and System for Generating a List Signature
US20090013188A1 (en) * 2006-01-30 2009-01-08 Koninklijke Philips Electronics N.V. Search for a Watermark in a Data Signal
US20100020968A1 (en) * 2008-01-04 2010-01-28 Arcsoft, Inc. Protection Scheme for AACS Keys
US20100125741A1 (en) * 2008-11-20 2010-05-20 Seagate Technology Llc Optical disc emulator
US8560856B2 (en) 2010-10-01 2013-10-15 Futurewei Technologies, Inc. Lightweight secure neighbor discovery protocol for low-power and lossy networks
US8631247B2 (en) 2008-11-24 2014-01-14 Certicom Corp. System and method for hardware based security
WO2019220270A1 (en) 2018-05-14 2019-11-21 nChain Holdings Limited Computer-implemented systems and methods for using a blockchain to perform an atomic swap
WO2020058806A1 (en) 2018-09-21 2020-03-26 nChain Holdings Limited Computer implemented system and method for sharing a common secret
US10652014B2 (en) 2016-02-23 2020-05-12 nChain Holdings Limited Determining a common secret for the secure exchange of information and hierarchical, deterministic cryptographic keys
US10659223B2 (en) 2016-02-23 2020-05-19 nChain Holdings Limited Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system
US10715336B2 (en) 2016-02-23 2020-07-14 nChain Holdings Limited Personal device security using elliptic curve cryptography for secret sharing
WO2021005474A1 (en) 2019-07-11 2021-01-14 nChain Holdings Limited Computer-implemented system and method for facilitating transactions associated with a blockchain using a network identifier for participating entities
US11057206B2 (en) 2018-10-24 2021-07-06 Samsung Electronics Co., Ltd. Random number generator, encryption device including the same, and method of operating the encryption device
US11120437B2 (en) 2016-02-23 2021-09-14 nChain Holdings Limited Registry and automated management method for blockchain-enforced smart contracts
US11126976B2 (en) 2016-02-23 2021-09-21 nChain Holdings Limited Method and system for efficient transfer of cryptocurrency associated with a payroll on a blockchain that leads to an automated payroll method and system based on smart contracts
US11182782B2 (en) 2016-02-23 2021-11-23 nChain Holdings Limited Tokenisation method and system for implementing exchanges on a blockchain
US11194898B2 (en) 2016-02-23 2021-12-07 nChain Holdings Limited Agent-based turing complete transactions integrating feedback within a blockchain system
US11308486B2 (en) 2016-02-23 2022-04-19 nChain Holdings Limited Method and system for the secure transfer of entities on a blockchain
US11373152B2 (en) 2016-02-23 2022-06-28 nChain Holdings Limited Universal tokenisation system for blockchain-based cryptocurrencies
US11410145B2 (en) 2016-02-23 2022-08-09 nChain Holdings Limited Blockchain-implemented method for control and distribution of digital content
US11455378B2 (en) 2016-02-23 2022-09-27 nChain Holdings Limited Method and system for securing computer software using a distributed hash table and a blockchain
US11606219B2 (en) 2016-02-23 2023-03-14 Nchain Licensing Ag System and method for controlling asset-related actions via a block chain
US11625694B2 (en) 2016-02-23 2023-04-11 Nchain Licensing Ag Blockchain-based exchange with tokenisation
US11727501B2 (en) 2016-02-23 2023-08-15 Nchain Licensing Ag Cryptographic method and system for secure extraction of data from a blockchain
US12107952B2 (en) 2016-02-23 2024-10-01 Nchain Licensing Ag Methods and systems for efficient transfer of entities on a peer-to-peer distributed ledger using the blockchain

Families Citing this family (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB9610154D0 (en) * 1996-05-15 1996-07-24 Certicom Corp Tool kit protocol
US6782100B1 (en) 1997-01-29 2004-08-24 Certicom Corp. Accelerated finite field operations on an elliptic curve
US6279110B1 (en) 1997-11-10 2001-08-21 Certicom Corporation Masked digital signatures
DE69930334T2 (en) * 1998-01-28 2006-11-09 Hitachi, Ltd. IC card equipped with a processing system for elliptic curve encryption
DE69906897T2 (en) * 1998-09-03 2004-01-29 Nippon Telegraph & Telephone Device and method for elliptic curve multiplication and recording medium with a program for executing the method recorded on it
CA2257008C (en) * 1998-12-24 2007-12-11 Certicom Corp. A method for accelerating cryptographic operations on elliptic curves
US20020057796A1 (en) * 1998-12-24 2002-05-16 Lambert Robert J. Method for accelerating cryptographic operations on elliptic curves
FR2807898B1 (en) * 2000-04-18 2002-06-28 Gemplus Card Int ELLIPTICAL CURVE CRYPTOGRAPHY PROCESS
US7043456B2 (en) * 2000-06-05 2006-05-09 Telefonaktiebolaget Lm Ericsson (Publ) Mobile electronic transaction personal proxy
US6871278B1 (en) 2000-07-06 2005-03-22 Lasercard Corporation Secure transactions with passive storage media
AU2002239879A1 (en) * 2001-01-10 2002-07-24 Davide R. Grassetti Method of immunomodulation using thione-forming disulfides
US20060269061A1 (en) * 2001-01-11 2006-11-30 Cardinalcommerce Corporation Mobile device and method for dispensing authentication codes
US7606771B2 (en) * 2001-01-11 2009-10-20 Cardinalcommerce Corporation Dynamic number authentication for credit/debit cards
US7194618B1 (en) 2001-03-05 2007-03-20 Suominen Edwin A Encryption and authentication systems and methods
US8261975B2 (en) * 2001-03-07 2012-09-11 Diebold, Incorporated Automated banking machine that operates responsive to data bearing records
US7216083B2 (en) * 2001-03-07 2007-05-08 Diebold, Incorporated Automated transaction machine digital signature system and method
GB2409090B (en) * 2001-04-06 2005-08-17 Freedom Card Ltd Payment system
US8645266B2 (en) * 2002-06-12 2014-02-04 Cardinalcommerce Corporation Universal merchant platform for payment authentication
US7693783B2 (en) * 2002-06-12 2010-04-06 Cardinalcommerce Corporation Universal merchant platform for payment authentication
CA2492715C (en) * 2002-06-12 2016-12-06 Cardinalcommerce Corporation Universal merchant platform for payment authentication
JP4752176B2 (en) * 2003-09-11 2011-08-17 日本電信電話株式会社 Unidirectional function calculation method, apparatus and program
US7711957B2 (en) * 2003-09-30 2010-05-04 Siemens Aktiengesellschaft Granting access to a computer-based object
DE502004006338D1 (en) * 2003-09-30 2008-04-10 Siemens Ag CLEARING ACCESS TO A COMPUTER-BASED OBJECT
GB2407948B (en) * 2003-11-08 2006-06-21 Hewlett Packard Development Co Smartcard with cryptographic functionality and method and system for using such cards
JP2005141160A (en) * 2003-11-10 2005-06-02 Japan Science & Technology Agency Secure processor
US8467535B2 (en) * 2005-01-18 2013-06-18 Certicom Corp. Accelerated verification of digital signatures and public keys
CA2592875C (en) 2005-01-18 2016-09-06 Certicom Corp. Accelerated verification of digital signatures and public keys
CA2550362C (en) * 2005-06-14 2015-12-01 Certicom Corp. Enhanced key agreement and transport protocol
JP5001176B2 (en) * 2005-12-28 2012-08-15 パナソニック株式会社 Signature generation apparatus, signature generation method, and signature generation program
US20100027785A1 (en) * 2006-11-03 2010-02-04 Lasercard Corporation Device and method for security handshaking using mixed media
US8762210B2 (en) 2008-06-03 2014-06-24 Cardinalcommerce Corporation Alternative payment implementation for electronic retailers
US10157375B2 (en) 2008-06-03 2018-12-18 Cardinalcommerce Corporation Alternative payment implementation for electronic retailers
US8745376B2 (en) 2011-10-14 2014-06-03 Certicom Corp. Verifying implicit certificates and digital signatures
RU154072U1 (en) * 2011-11-14 2015-08-10 Васко Дэйта Секьюрити Интернэшнл Гмбх SMART CARD READER WITH SAFE JOURNALING FUNCTION
FR3035986B1 (en) * 2015-05-06 2018-07-27 Morpho METHOD FOR GENERATING A MESSAGE SIGNATURE FROM A DIGITAL SIGNATURE TOKEN USING A HOMOMORPHIC ENCRYPTION FUNCTION
RU2716042C1 (en) 2016-07-15 2020-03-05 Кардиналкоммерс Корпорейшн Bridge between authentication and authorization using extended messages
US10341098B2 (en) * 2017-01-24 2019-07-02 Nxp B.V. Method of generating cryptographic key pairs
US11113095B2 (en) 2019-04-30 2021-09-07 Automation Anywhere, Inc. Robotic process automation system with separate platform, bot and command class loaders
US11481304B1 (en) 2019-12-22 2022-10-25 Automation Anywhere, Inc. User action generated process discovery
US12111646B2 (en) 2020-08-03 2024-10-08 Automation Anywhere, Inc. Robotic process automation with resilient playback of recordings
WO2023063923A1 (en) * 2021-10-11 2023-04-20 Lexmark International, Inc Methods and systems for determining the authenticity of a component using elliptic-curve cryptography

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5146500A (en) 1991-03-14 1992-09-08 Omnisec A.G. Public key cryptographic system using elliptic curves over rings
US5159632A (en) 1991-09-17 1992-10-27 Next Computer, Inc. Method and apparatus for public key exchange in a cryptographic system
US5271061A (en) 1991-09-17 1993-12-14 Next Computer, Inc. Method and apparatus for public key exchange in a cryptographic system
US5272755A (en) 1991-06-28 1993-12-21 Matsushita Electric Industrial Co., Ltd. Public key cryptosystem with an elliptic curve
US5351297A (en) 1991-06-28 1994-09-27 Matsushita Electric Industrial Co., Ltd. Method of privacy communication using elliptic curves
US5442707A (en) 1992-09-28 1995-08-15 Matsushita Electric Industrial Co., Ltd. Method for generating and verifying electronic signatures and privacy communication using elliptic curves
US5497423A (en) 1993-06-18 1996-03-05 Matsushita Electric Industrial Co., Ltd. Method of implementing elliptic curve cryptosystems in digital signatures or verification and privacy communication

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4649233A (en) * 1985-04-11 1987-03-10 International Business Machines Corporation Method for establishing user authenication with composite session keys among cryptographically communicating nodes
US5231668A (en) * 1991-07-26 1993-07-27 The United States Of America, As Represented By The Secretary Of Commerce Digital signature algorithm
US5265164A (en) * 1991-10-31 1993-11-23 International Business Machines Corporation Cryptographic facility environment backup/restore and replication in a public key cryptosystem
US5164988A (en) * 1991-10-31 1992-11-17 International Business Machines Corporation Method to establish and enforce a network cryptographic security policy in a public key cryptosystem
US5299263A (en) * 1993-03-04 1994-03-29 Bell Communications Research, Inc. Two-way public key authentication and key agreement for low-cost terminals
WO1996004602A1 (en) 1994-07-29 1996-02-15 Certicom Corp. Elliptic curve encryption systems
US6442707B1 (en) * 1999-10-29 2002-08-27 Advanced Micro Devices, Inc. Alternate fault handler

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5146500A (en) 1991-03-14 1992-09-08 Omnisec A.G. Public key cryptographic system using elliptic curves over rings
US5272755A (en) 1991-06-28 1993-12-21 Matsushita Electric Industrial Co., Ltd. Public key cryptosystem with an elliptic curve
US5351297A (en) 1991-06-28 1994-09-27 Matsushita Electric Industrial Co., Ltd. Method of privacy communication using elliptic curves
US5159632A (en) 1991-09-17 1992-10-27 Next Computer, Inc. Method and apparatus for public key exchange in a cryptographic system
US5271061A (en) 1991-09-17 1993-12-14 Next Computer, Inc. Method and apparatus for public key exchange in a cryptographic system
US5463690A (en) 1991-09-17 1995-10-31 Next Computer, Inc. Method and apparatus for public key exchange in a cryptographic system
US5442707A (en) 1992-09-28 1995-08-15 Matsushita Electric Industrial Co., Ltd. Method for generating and verifying electronic signatures and privacy communication using elliptic curves
US5497423A (en) 1993-06-18 1996-03-05 Matsushita Electric Industrial Co., Ltd. Method of implementing elliptic curve cryptosystems in digital signatures or verification and privacy communication

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
"Communications of the ACM"; (vol. 35, No. 7, Jul. 1992); pp. 33-34, 36-54.
Kranakis, Evangelos, "Primality and Cryptography"; (John Wiley & Sons; New York; 1986); pp. 98-99.
Kranakis, Evangelos, "Theoretical Aspects of the Security of Public Key Cryptography"; (Yale University; New Haven; Sep. 1984); p. 105.
Luby, Michael, "Pseudorandomness and Cryptographic Applications"; (Princeton University Press; Princeton; 1996); p. 51.
Menezes, Alfred, "Elliptic Curve Public Key Cryptosystems"; (Kluwer Academic Publishers; Boston; 1993); pp. 10-13.
Menezes, Alfred, et al., "Journal of Cryptography"; (vol. 6, No. 4, Autumn 1993); pp. 209-223).
Nissan, Noam, "Using Hard Problems to Create Pseudorandom Generators"; (published as "An ACM Distinguished Dissertation (1990)" in 1992); pp. 3-4.
Schneier, Bruce, "Applied Cryptography"; (John Wiley & Sons; New York; 1994); pp. 39-41.

Cited By (63)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070217601A1 (en) * 2001-12-31 2007-09-20 Lambert Robert J Method and apparatus for elliptic curve scalar multiplication
US7412062B2 (en) * 2001-12-31 2008-08-12 Certicom Corp. Method and apparatus for elliptic curve scalar multiplication
US8352380B2 (en) * 2004-05-19 2013-01-08 France Telecom Method and system for generating a list signature
CN1954546B (en) * 2004-05-19 2012-08-22 法国电信公司 Method and system for generating a list signature
US20080046310A1 (en) * 2004-05-19 2008-02-21 France Telecom Method and System for Generating a List Signature
US20060153370A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Generating public-private key pair based on user input data
US7593527B2 (en) 2005-01-07 2009-09-22 First Data Corporation Providing digital signature and public key based on shared knowledge
US20060153366A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Verifying digital signature based on shared knowledge
US20060153367A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Digital signature system based on shared knowledge
US20060153365A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Providing digital signature and public key based on shared knowledge
US7936869B2 (en) 2005-01-07 2011-05-03 First Data Corporation Verifying digital signature based on shared knowledge
US20060153368A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Software for providing based on shared knowledge public keys having same private key
US20060153364A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Asymmetric key cryptosystem based on shared knowledge
US20060156012A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Facilitating digital signature based on ephemeral private key
US20060156013A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Digital signature software using ephemeral private key and system
US7693277B2 (en) 2005-01-07 2010-04-06 First Data Corporation Generating digital signatures using ephemeral cryptographic key
US7490239B2 (en) 2005-01-07 2009-02-10 First Data Corporation Facilitating digital signature based on ephemeral private key
US20060153369A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Providing cryptographic key based on user input data
US7869593B2 (en) 2005-01-07 2011-01-11 First Data Corporation Software for providing based on shared knowledge public keys having same private key
US20060153371A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Generating digital signatures using ephemeral cryptographic key
EP1729442A2 (en) 2005-06-03 2006-12-06 Tata Consultancy Services Limited An authentication system executing an elliptic curve digital signature cryptographic process
US20090013188A1 (en) * 2006-01-30 2009-01-08 Koninklijke Philips Electronics N.V. Search for a Watermark in a Data Signal
WO2007094763A2 (en) * 2006-02-09 2007-08-23 Atmel Corporation Data security including real-time key generation
WO2007094763A3 (en) * 2006-02-09 2009-04-23 Atmel Corp Data security including real-time key generation
US20100020968A1 (en) * 2008-01-04 2010-01-28 Arcsoft, Inc. Protection Scheme for AACS Keys
US9137015B2 (en) * 2008-01-04 2015-09-15 Arcsoft, Inc. Protection scheme for AACS keys
US20100125741A1 (en) * 2008-11-20 2010-05-20 Seagate Technology Llc Optical disc emulator
US9678896B2 (en) 2008-11-24 2017-06-13 Certicom Corp. System and method for hardware based security
US8631247B2 (en) 2008-11-24 2014-01-14 Certicom Corp. System and method for hardware based security
US9183158B2 (en) 2008-11-24 2015-11-10 Certicom Corp. System and method for hardware based security
US8560856B2 (en) 2010-10-01 2013-10-15 Futurewei Technologies, Inc. Lightweight secure neighbor discovery protocol for low-power and lossy networks
US11308486B2 (en) 2016-02-23 2022-04-19 nChain Holdings Limited Method and system for the secure transfer of entities on a blockchain
US12032677B2 (en) 2016-02-23 2024-07-09 Nchain Licensing Ag Agent-based turing complete transactions integrating feedback within a blockchain system
US11347838B2 (en) 2016-02-23 2022-05-31 Nchain Holdings Ltd. Blockchain implemented counting system and method for use in secure voting and distribution
US10652014B2 (en) 2016-02-23 2020-05-12 nChain Holdings Limited Determining a common secret for the secure exchange of information and hierarchical, deterministic cryptographic keys
US10659223B2 (en) 2016-02-23 2020-05-19 nChain Holdings Limited Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system
US10715336B2 (en) 2016-02-23 2020-07-14 nChain Holdings Limited Personal device security using elliptic curve cryptography for secret sharing
US11356280B2 (en) 2016-02-23 2022-06-07 Nchain Holdings Ltd Personal device security using cryptocurrency wallets
US12107952B2 (en) 2016-02-23 2024-10-01 Nchain Licensing Ag Methods and systems for efficient transfer of entities on a peer-to-peer distributed ledger using the blockchain
EP3862956A1 (en) 2016-02-23 2021-08-11 Nchain Holdings Limited Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system
US11120437B2 (en) 2016-02-23 2021-09-14 nChain Holdings Limited Registry and automated management method for blockchain-enforced smart contracts
US11126976B2 (en) 2016-02-23 2021-09-21 nChain Holdings Limited Method and system for efficient transfer of cryptocurrency associated with a payroll on a blockchain that leads to an automated payroll method and system based on smart contracts
US11182782B2 (en) 2016-02-23 2021-11-23 nChain Holdings Limited Tokenisation method and system for implementing exchanges on a blockchain
US11194898B2 (en) 2016-02-23 2021-12-07 nChain Holdings Limited Agent-based turing complete transactions integrating feedback within a blockchain system
US11349645B2 (en) 2016-02-23 2022-05-31 Nchain Holdings Ltd. Determining a common secret for the secure exchange of information and hierarchical, deterministic cryptographic keys
EP4383643A2 (en) 2016-02-23 2024-06-12 nChain Licensing AG Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system
US11972422B2 (en) 2016-02-23 2024-04-30 Nchain Licensing Ag Registry and automated management method for blockchain-enforced smart contracts
US11936774B2 (en) 2016-02-23 2024-03-19 Nchain Licensing Ag Determining a common secret for the secure exchange of information and hierarchical, deterministic cryptographic keys
US11373152B2 (en) 2016-02-23 2022-06-28 nChain Holdings Limited Universal tokenisation system for blockchain-based cryptocurrencies
US11410145B2 (en) 2016-02-23 2022-08-09 nChain Holdings Limited Blockchain-implemented method for control and distribution of digital content
US11455378B2 (en) 2016-02-23 2022-09-27 nChain Holdings Limited Method and system for securing computer software using a distributed hash table and a blockchain
US11606219B2 (en) 2016-02-23 2023-03-14 Nchain Licensing Ag System and method for controlling asset-related actions via a block chain
US11621833B2 (en) 2016-02-23 2023-04-04 Nchain Licensing Ag Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system
US11625694B2 (en) 2016-02-23 2023-04-11 Nchain Licensing Ag Blockchain-based exchange with tokenisation
US11727501B2 (en) 2016-02-23 2023-08-15 Nchain Licensing Ag Cryptographic method and system for secure extraction of data from a blockchain
US11755718B2 (en) 2016-02-23 2023-09-12 Nchain Licensing Ag Blockchain implemented counting system and method for use in secure voting and distribution
EP4274154A2 (en) 2016-02-23 2023-11-08 nChain Licensing AG Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system
WO2019220271A1 (en) 2018-05-14 2019-11-21 nChain Holdings Limited Computer-implemented systems and methods for using a blockchain to perform an atomic swap
EP4451611A2 (en) 2018-05-14 2024-10-23 nChain Licensing AG Computer-implemented systems and methods for using a blockchain to perform an atomic swap
WO2019220270A1 (en) 2018-05-14 2019-11-21 nChain Holdings Limited Computer-implemented systems and methods for using a blockchain to perform an atomic swap
WO2020058806A1 (en) 2018-09-21 2020-03-26 nChain Holdings Limited Computer implemented system and method for sharing a common secret
US11057206B2 (en) 2018-10-24 2021-07-06 Samsung Electronics Co., Ltd. Random number generator, encryption device including the same, and method of operating the encryption device
WO2021005474A1 (en) 2019-07-11 2021-01-14 nChain Holdings Limited Computer-implemented system and method for facilitating transactions associated with a blockchain using a network identifier for participating entities

Also Published As

Publication number Publication date
EP2800043A1 (en) 2014-11-05
CA2202566C (en) 2006-12-12
US20020095583A1 (en) 2002-07-18
US6925564B1 (en) 2005-08-02
EP2800043B1 (en) 2019-10-09
US5999626A (en) 1999-12-07
US20050039023A1 (en) 2005-02-17
CA2202566A1 (en) 1997-10-16
EP0807908A2 (en) 1997-11-19
EP0807908A3 (en) 2004-04-14
US20080310625A1 (en) 2008-12-18
CA2640992A1 (en) 1997-10-16
US20070177726A1 (en) 2007-08-02
EP0807908B1 (en) 2014-06-25

Similar Documents

Publication Publication Date Title
US6704870B2 (en) Digital signatures on a Smartcard
Naccache et al. Can DSA be improved?—Complexity trade-offs with the digital signature standard—
US8966271B2 (en) Data card verification system
EP1873960B1 (en) Method for session key derivation in a IC card
EP0348812B1 (en) Authentication method and apparatus therefor
US7590846B2 (en) Public key cryptographic method of protecting an electronic chip against fraud
US7856101B2 (en) Method for elliptic curve scalar multiplication
EP0682327A2 (en) Method and apparatus for memory efficient variants of public key encryption and identification schemes for smart card applications
WO1998034202A9 (en) Data card verification system
US7000110B1 (en) One-way function generation method, one-way function value generation device, proving device, authentication method, and authentication device
US8102998B2 (en) Method for elliptic curve scalar multiplication using parameterized projective coordinates
US20080273695A1 (en) Method for elliptic curve scalar multiplication using parameterized projective coordinates
US6003764A (en) Method of securely storing and retrieving monetary data
JP3704162B2 (en) Secret transfer method for exchanging two certificates between two microcomputers performing repetitive authentication
Knobloch A smart card implementation of the Fiat-Shamir identification scheme
CA2540787C (en) Digital signatures on a smartcard
Pavlovski Applied batch cryptography
JPH0237383A (en) Prime number generating system
AU1873397A (en) Method of securely storing and retrieving monetary data

Legal Events

Date Code Title Description
STCF Information on status: patent grant

Free format text: PATENTED CASE

CC Certificate of correction
AS Assignment

Owner name: CERTICOM CORP., CANADA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MENEZES, ALFRED J.;REEL/FRAME:017988/0196

Effective date: 20060721

AS Assignment

Owner name: CERTICOM CORP., CANADA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MENEZES, ALFRED J.;REEL/FRAME:019353/0543

Effective date: 20070529

FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

FPAY Fee payment

Year of fee payment: 12